Staying in business – insurance issues by David Kaye
Assessing insurance needs
It is a major disappointment, when looking at many an organisation’s insurance
programme, to see just how much the design of the protection package is driven
by the ‘off-the-shelf’ insurers’ products rather than by the risks of the
organisation itself.
The visionary risk manager has been kicking against those traces for some
years now and the successful ones have encouraged their boards to grasp the
much wider values of risk management. Another driving force has been the
ever-increasing interest by regulators and stock markets in the risks being
carried by organisations they police or, in turn, in which they have investments.
While publicly quoted companies and some others have, for decades, had
sophisticated financial risk models in place, these regulators have increasingly
been driving organisations to manage and give information regarding
non-financial risks. These are much more amorphic challenges, where boards are
much less experienced and feel much less comfortable.

Part B – Overview of the Economic Aspects of Business Risks

Organisations are seeing more and more that both the tasks and the
opportunities of risk management are much wider than auditing the flows of money
and other assets; and seeing more and more the business opportunities that lie
in understanding and managing risk; and thus seeing measured risks not only
as a threat, but also as an opportunity for effective business development.
An important dimension for managing potentially catastrophic risk is the
issue of ‘timeout’. An organisation’s ability to step out of its marketplace for a
period of time while it handles crises will vary dramatically. It will vary
between each organisation, its business models, its regulatory environment, its
marketplace, the ability of competitors to react quickly and the demands of its
own specific range of stakeholders. The first and often the most damaging thing
to be lost is the value of the brand and other credibilities. This could happen in
minutes in some industries or after days or weeks in others.

The organisation’s dependencies
When considering the pressures on an organisation facing catastrophic damage,
it is a valuable thought process to stand back from the day-to-day aspects of the
business and think through the individual foundation stones of that
organisation. Only then, I suggest, can we see the real post-damage pressures, and the
needs the directors may have to face when struggling to keep the business or
organisation alive.
In recent years, there have been important changes in the way businesses
deliver and market their own products, changes too in their relationships with
their stakeholders, and even in the risks themselves. These changes are
influencing how potential damage can hit the very cornerstones of the organisation,
by following not only ‘new’ risks but also a new level of damage caused by ‘old’
risks. Often the real consequences of damage, moving right up and through the
organisation, are unrecognisable from the consequences of a similar incident
some years ago.
Chapter 8 – Business interruption and risk management

To explain: clear to all business watchers are the dramatic changes in the
way that businesses have reorganised themselves as they take up the
opportunities now available to them. These opportunities have emerged from new
technology that has enabled faster and direct business-to-customer and
business-to-business communications. The sheer scale of merged companies,
encouraged by more open markets across the developed world and the internet, has
enabled them to be increasingly multinational. Spin-offs have been the ability
to squeeze new values out of supply chains and distribution chains – outsourcing.
These new alternatives to large direct labour forces are now enabling a shift of
power base from the workforces towards the management.
During a potentially catastrophic disaster in a modern multinational, the
board’s attention is on the survival of the business. The most urgent concern is
not the replacing of buildings and contents (and/or defending litigation). That
is the relatively easy bit. The massive organisations of today have, however,
built into their procedures some new and dangerous points of exposure that, if
and when the risk incident occurs, could remove crucial dependencies on
which the whole organisation depends. In other words, a sudden death or
removal from their marketplace is now increasingly, not less, likely.
It is valuable for the risk manager to consider the organisation through the
perspective of its stakeholders’ expectations, and through whether the failure
to meet any one of them can be a single point of potential catastrophic failure.
Changing risks within the ingredients of the delivery process:

* Delivery chain: the delivery chain – sometimes called the ‘value chain’ – is
often unrecognisable from the cosy, locally controlled, in-house delivery
chain of yore. A failure deep within a third-party, just-in-time supply
chain can have catastrophic and immediate consequences on the final
production line.
  Those jobholders who immerse themselves in continuity risk have a
  healthy respect for whether the in-house continuity management will or will
  not work in circumstances that can only be guessed at. Moving on into
  assuming confidence about a third party organisation’s planning increases
  the difficulty and exposure exponentially!
* Technology: the dependence on technology brings its own risks and not just
the obvious e-commerce exposures (see also Chapter 11). A technological
failure can often be the single point of failure that could bring a multinational
to a halt right across its entire organisation. That failure may not just be
electronic, it may be security of information, communications, software or even
the hardware infrastructure within which the electronics reside;
* Intellectual assets: modern organisations have dependencies on intellectual
assets that cannot possibly be overemphasised. Many a 21st century
organisation is no more than the sum total of owned (or rented) intellectual assets,
a contracted-out delivery and marketing process, and a group of key
stakeholders who can move away as fast as they moved within. The intellectual
assets are much more than data on computer databases. These assets lie
further in licences, paper and even in employee brains. The resilience depends
not only on the safety from harm of this information but also on the ability to
regain access. Access from elsewhere needs to be possible, not only
physically, but also legally or contractually. The Data Protection Act defines quite
clearly who can use what personal information and for what purpose; as also
may the contracts right through the various layers of the supply chain;
* The brand: this is perceived as credibility among the range of stakeholders
and is a single, organisation-wide value on which the entire organisation
depends for its survival; or at the very least for the current market position
that it enjoys. Without this there may be no company left; as has been found
out the hard way by too many organisations; and
* Human resources: as said, the relationships with workforces are very
different than before. Any organisation that gives the impression that its workforce
is as disposable as an old piece of office furniture or leftover food from the
table is naive to believe that, in a crisis, that same workforce will continue
the loyalty and deference of years ago. More and more ‘employees’ have been
‘outsourced’ to an entirely different organisation which of course has its own
stakeholders and its own business models and preferences. A crisis almost
always demands a sudden switch of urgencies and massively increased
pressures on one part of the organisation. This may be to meet new, urgent
communication needs to a whole new range of different people, or to set about
the urgent task of rebuilding a critical aspect of the working environment or
heal the break in the supply or delivery chain.
  An employer can move internal resources around if the employees are
  supportive and confident of the ultimate survival of the organisation. A third
  party labour supplier may not wish – nor be able to – dramatically and
  urgently move labour or infrastructure resources around so quickly (see also
  Chapter 14).

Modern organisations
The modern organisation enjoys speeds and flexibilities from concept to
delivery that an organisation of the 20th century could only dream about.
This speed is not only in computer aided design work but right through to
the delivery of the product through business-to-business, and
business-to-customer, e-commerce delivery. Those same opportunities, however, enable
a competitor, seeing a weakened company, to quickly ‘upsize’ and rapidly
get new choices in front of the damaged organisation’s erstwhile customers.

Regulation: the risk that can totally remove an organisation the quickest is a
failure to continue to meet the requirements of a regulator or the wider law of
the country. If a regulator decides that the controls needed to remain within
the regulatory envelope have failed then the organisation is stone cold dead.
Only too often this is in the area of information on which the organisation
depends to deliver secure and effective control of the products sold.

The evolution of impact
The risks themselves have therefore not only changed, but also the potential
for damage to the organisation from these new risks is totally different.
Furthermore, the potential for damage that can occur from old, perhaps
insurable, risks can also be unrecognisable from the extent of damage we could
envisage in the past.
In older business models the organisation was dispersed around the host
country to be situated next to their customers. Now the product delivery is
often from one or two key and technological ‘factories’ that, if inaccessible,
could close down the whole organisation. Furthermore, these factories
themselves depend on information technology and communication technology
hearts that can fit onto a postage stamp. Consequently the skills of an
individual or small team can be skills on which the entire delivery of a multinational
depends. We have the potential and reality of much deeper impact from the
same incident that would have been a blip not many years ago.
It is not the loss of the hardware that is the real concern, it is the process
for which it is used, the data it stores; and what its introduction has done to the
wider production process. It has replaced large numbers of trained staff who
simply do not exist any more. It supplies the baseline product and client
information. It enables credibility in the audit standards and the audit trail. It has
the corporate formulae embedded within its software and it allows access by
other authorised personnel. It communicates internally and externally. It
provides usable management information and it secures sensitive information.

Business survival
We need to meet the agenda of this particular discussion and to see how
insurance can aid the management of these risks that can threaten the very survival
of the organisation. A process of reducing the exposure to destruction is in two
underlying steps:
* Identifying and managing any risks or impacts that have the potential to
destroy; and
* An emergency response structure that limits damage, puts the heads back on
the chickens, and has prepared at least minimum resources for new urgent
and priority actions and deliveries.
These legs on which an organisation depends will include at least the:
* Skills of the workforce;
* Ability to communicate;
* Brand value and other credibilities;
* Legal and physical access to the information and other intellectual assets;
* Alternate means of delivering urgent goods and services into the marketplace
fast enough to remain a credible player in that chosen marketplace – and to
keep out the competitors;
* Legality, credibility, security and with the approval of regulators;
* Tools and information needed to remain in financial and operational control; and
* Ability to respond fast enough to keep the organisation alive.

The role of insurance
The insurance industry
If we are to assess the value of the insurance product to an organisation facing
meltdown, we therefore need to measure its values against these dependencies.
The roots of the insurance business therefore lie in spreading financial losses
across many people so that the impact on one is bearable.

Insurance products
It is important to retain this financial perspective as we delve deeper into
the relationships between insurance and the losses that are potentially
business destructive ones. Whereas insurance does not have any value
whatsoever to some insureds facing catastrophic loss, it would be unfair to
see this necessarily as a failure of the industry. It is, after all, unfair to
criticise someone for not achieving what they do not set out to do. The
question is more about a matching and mismatching of products and needs;
and the responsibility to ensure a precise match must lie, not with the
insurer, nor with the broker, but with the organisation that is carrying the
risk. These clear, precise and unarguable responsibilities need to remain
‘on the table’ as we proceed further.

Operational risk is historically the natural world of casualty insurance
providers. Indeed the very brand values of a commercial property insurer are
built around the fact that the insurance provider will be there to ‘see you OK’
in the event of damage. The branding even includes a product named ‘all risks
insurance’. We should stop a second and ask whether this product in particular
is seriously misnamed when taken into the very real world of an organisation
in distress. Having said all this, the responsibilities for ensuring a match
between risks carried and the insurance programme remain as defined in the
paragraph immediately above and are clear and loud.

Management of mismatches
We appear to have two fundamental mismatches between the product and
the particular potentially catastrophic needs of the insured:
* The first mismatch is that the insurer is contained by the need to reduce
all loss into monetary terms; whereas continuity managers see their
greatest exposures not to be monetary; but exposures to the operational